Health IT Pulse - Providing unbiased market perspective and keen industry insight to assist HIT decision makers in navigating the ever-changing health technology landscape.

Health IT Pulse

Feb 2 2012   2:22PM GMT

Will mHealth app certification program help buyers beware?



Posted by: Anne Steciw
mHealth, health care app, mHealth app certification

Certification is not just for EHR systems anymore — now it’s for mobile health apps, too. Happtique, which runs a mobile health app store targeted to the health care industry, has announced plans to develop a certification program for mHealth apps.

The program is currently being developed with guidance from a panel of “blue ribbon” experts, chaired by Howard Luks, M.D., an orthopedic surgeon and associate professor of orthopedic surgery at New York Medical College. The other three panel members are Dr. Franklin Shaffer, chief executive officer of CGFNS International; Shuvo Roy, a biomedical scientist and technologist; and Dave deBronkart, a.k.a. e-Patient Dave.

The goal of the certification program is to develop a set of quality and performance standards that can be used to evaluate mHealth apps. However, it’s not clear how those standards will be determined, or what will actually be certified. The panel will be developing the certification program over the next six months. Some of the panelists have indicated that “they’re looking to include criteria for app quality, reliability, usability, consumer engagement, value to the user, cost, simplicity, and interoperability,” according to an article on FierceMobileHealthcare.

Luks told FierceMobileHealthcare the idea is that apps in the Happtique store would be graded granularly, giving them more than just a “thumbs-up” or “thumbs-down” rating.

Providers and hospitals have been asking for a “bona fide mhealth app certification program,” Happtique President Corey Ackerman told eWeek.com, noting that the FDA is unable to evaluate 15-20% of mobile health applications, leaving the door open for Happtique to add additional evaluations.

It will be interesting to see if the Happtique certification carries any real weight with users, and if the certification criteria will be updated on a regular basis. Until then, users will have to make do with crowd-sourced ratings and caveat emptor.

Feb 1 2012   2:56PM GMT

Las Vegas HIMSS 2012 game plan shaping up



Posted by: Don Fluckinger
HIMSS, HIMSS 2012, HIE, Twitter, Ahier, FItbit

It’s the third time around for SearchHealthIT at the Health Information Management Systems Society annual meeting - HIMSS 2012. Unlike some of our pals in the health IT blogosphere, we can’t post our itineraries, because things change up to the last minute as news breaks and plans evolve. But we can tell you that, among the highlights we’re planning to hit (and miss):

  • The SearchHealthIT #HCsm Tweetup. If you have any idea what that means and have an interest in hanging with our Tweeps at the très cool Seahorse Lounge Monday night, register here.
  • Stage 2 meaningful use everything. Would CMS just come out and release the proposed stage 2 criteria already? There are so many stage 2 educational sessions booked for this HIMSS, its impending release is a worse-kept secret than Peyton Manning’s impending release from the Indianapolis Colts.
  • Biz Stone’s keynote. Just kidding, unless the Twitter founder says he plans to share that he’s discovered how to connect HIEs one to another while maintaining compliance with each individual territory’s differing privacy and consumer-protection rules. #EpicFail. Although, of course, most of the SearchHealthIT army deployed to HIMSS 2012 will be live tweeting from educational sessions and the exhibit floor, so I’ll just say it here and get it over with: Thanks, Biz. But the keynote thing? To be fair, I skipped Michael J. Fox’s keynote last year, too.
  • Conversations with actual IT leaders from health care providers, from which we’ll create stories loaded with advice on several thorny implementation topics you’re probably struggling with right now. And if we told you exactly which topics in advance of the show, we’d have to make your computer self-destruct à la Mission Impossible. And who wants that mess?
  • Executive podcasts. Interspersed among the interviews, educational sessions, mixers and booth meet-ups in our plans, we’ve snared a couple big-thinking leaders for podcasts. Stay tuned for some - we hope - worthwhile discussions about health IT trends CIOs should monitor.

And then there’s this little matter of a contest I’ve agreed to enter, involving a Fitbit and trying to out-walk fellow Health IT reporter Brian Ahier. HIMSS attendees will be able to get into the action and enter to win their own. Just in time, too, as I’m still walking off a month’s worth of dietary transgressions committed during the holidays. More details on those shenanigans will be forthcoming.


Jan 31 2012   1:04PM GMT

Physicians, patients share accountability for PHI safety



Posted by: Craig Byer
social media, HIPAA, PHI, PHI encryption, health care data breach

The relationship between patients and physicians — particularly with social media’s growing role — is a hot topic in today’s health care space. Patients want access to their medical records through new channels, such as instant messaging and Facebook, but some physicians aren’t too keen on this idea given the risk of personal health information (PHI) being leaked.

To help balance these two poles, a webinar hosted by technology consulting firm Perficient — titled “How to Protect Patient Data in an Increasingly Social Healthcare Industry” — focused on why physicians and patients should be cognizant of health care social media, as well as HIPAA rules and implementing security measures.

Health care social media can still be a “visit.” Physicians who do partake in social media will often set up personal Internet portals to interact with patients through different mediums such as instant messaging and Skype, said Anand Sangtani, solution architect at Perficient. Further, patients must be aware that the disclosure of information in a social format has to be protected as if it were done in a traditional, face-to-face office visit.

Patients must be aware, too, not just physicians. Steve Nitenson, senior solutions architect at Perficient, urged patients to “be diligent” in reviewing their medical information. Documentation, such as signing your name, is secondary to understanding the paperwork that comes with medical visits. Moreover, if a patient asks a physician or practice for a copy of their medical records, refusal is not an option.

Pay close attention to HIPAA regulations. HIPAA regulations are the backbone of the patient and physician relationship because they enforce how PHI can be exchanged. This is especially true when patients request their information. Nitenson believes patients have “peace of mind” when they get their PHI electronically within the 72-hour window as mandated by HIPAA regulations.

Organizations should set up a security committee. The everyday patient has every right to be concerned over the privacy of their PHI. However, a data breach regarding public figures could be seen as fuel to the fire. Nitenson used the example of UCLA Medical Center’s data breach, where hospital employees looked at the medical records of many celebrities including Tom Cruise, Britney Spears and Maria Shriver without authorization. With a HIPAA violation and subsequent fine in tow, it’s unclear whether a security committee was set up. Nitenson also pointed out that hospitals should appoint an information security officer to take control of conducting a risk analysis.


Jan 30 2012   12:08PM GMT

More than 19 million Americans affected by health care data breach



Posted by: Brian Eastwood
data breaches, PHI encryption

More than 19 million Americans have been affected by a health care data breach since September 2009, when tougher HIPAA compliance laws went into effect after the HITECH Act passed.

Under the HITECH Act, HIPAA covered entities and business associates must disclose any health care data breach that has affected more than 500 people. According to Gov Info Security, nearly 400 such incidents have been reported.

More than half of these incidents, 55%, involved lost or stolen electronic devices that had not been encrypted. While the HITECH Act does not explicitly require the use of encryption technology, it does state that the loss of data that has been encrypted does not constitute a data breach. In other words, data loss is not hard to prevent.

An effective enterprise encryption strategy should include software, databases and networks in addition to protected health information itself and mobile devices. It also helps to have a social media policy in place to avoid the embarrassment of a health care data breach on Facebook. Such a breach is unlikely to meet the 500-victim threshold for reporting to the U.S. Department of Health and Human Services, but the negative publicity could be just as damning.


Jan 26 2012   12:14PM GMT

Mobile communications drive medical data breach increase



Posted by: healthitpulse
mHealth, mobile health technologies, data breaches, PHI encryption, patient engagement

By Greg McInerney, Editorial Assistant

A combination of an increase in mobile device usage and the development of doctor-patient interaction via certain social network sites will put a greater emphasis on security of patient information in 2012, according to industry experts.

The last few years have seen an increase in the use of technology within the health care industry in order to engage with patients. However, this fast-paced development has meant the balance between ease of use and risk has not quite been achieved. A report published by the Ponemon Institute and ID Experts Corp. late last year estimated the total cost of medical data breaches to be around $6.5 billion annually.

This sizeable figure is largely self-inflicted, according to Christine Marciano, data privacy and cyber risk insurance specialist at Cyber Data-Risk Managers LLC.

“The health care industry as a whole has been quite slow to respond to this rapid progression in the use of mobile technology in particular. [A] recent report showed only 49% of health care providers were adequately secured against data breach threats,” Marciano said.

Marciano believes 2012 could be a big year for data insurers like her own company, as regulating bodies begin to crack down on health care providers’ lack of data security provisions. Data insurance premiums provided to the health care industry by companies such as Cyber Data-Risk Managers depend on a number of factors, including number of patients, the size of the firm in question and its revenue.

“An annual premium of, say, $600,000 is going to prove to be a relatively inexpensive investment for a large hospital, considering the fallouts that can occur from the data breach of confidential information.”

These fallouts might take the form of increased lawsuits stemming from failure to secure private health care data, although Kirk Nahra, partner at the law firm Wiley Rein LLP, is quick to point out that very few — if any — of these medical data breaches have reached an actual courtroom thus far.

“Most data security breaches don’t end up being a real problem so long as the health care provider has an aggressive post response plan in place,” Nahra said. “The majority of work I do in relation to health care data breaches is concerned with breach response rather than matters of actual litigation.”

However, Nahra is not dismissive of the possible damage that medical data breaches could cause in 2012.

“There is no doubt that health care providers need to be more aware of their legal responsibilities when it comes to these matters,” he said. “The sensitive nature of the information being stored requires a great level of attention to be paid to its secure storage.”

(Editor’s note: This is the first blog entry by Greg McInerney, an editorial assistant at TechTarget. He will be regularly contributing to Health IT Pulse over the next few months. Welcome aboard, Greg!)


Jan 25 2012   1:00PM GMT

GAO puts quality group under microscope for EHR Incentive Program lag



Posted by: Don Fluckinger
gao, CMS, EHR incentive program, EHRIP, NQF, hhs

The General Accountability Office (GAO) last week issued a report focused on health IT and meaningful use. It addressed how and why U.S. Department of Health and Human Services (HHS) contractor National Quality Forum (NQF) lagged behind deadlines for delivering electronic versions of meaningful use criteria.

Interesting. While we thought the proposed delays in meaningful use stage 2 enforcement were the Center for Medicare and Medicaid Services (CMS) showing a benevolent side — giving a break to beleaguered health care CIOs already hip-deep in new tech implementations for ICD-10, HIPAA compliance and accountable care organization or related quality-based incentive programs offered by private insurers — it appears as if benevolence might not have been the primary motivator on the part of the federal health insurance behemoth.

While the nuts and bolts of the report are summarized elsewhere on the Web for those who don’t feel like downloading the 81-page GAO report from the horse’s mouth (such as here, here and here), the upshot was this: CMS got a raw deal, because the EHR Incentive Program quality measures came in late, exceeded estimated development costs and 44 of 63 measures contained errors.

HHS wasn’t exonerated in this mess, completely. While NQF failed to report on problems it was having developing the criteria, GAO points out that CMS should have been monitoring the projects more closely as written into the original contract, and yo, it’s never too late to start - so let’s start doing that now, moving forward.

“To help ensure that HHS receives the quality measures it needs to effectively implement its quality measurement programs and initiatives within required time frames,” the report’s summary reads, “the Secretary of HHS should use monitoring tools required under the NQF contract to obtain detailed and timely information on NQF’s performance and use that information to inform any appropriate changes to time frames, projects, and cost estimates for the remaining contract years.”

No kidding.

For its part, the NQF — given the opportunity to respond to the report’s findings and get the last word in a letter published as an appendix to the document — did own up to the delays and didn’t dispute the negative findings. However, NQF CEO Janet Corrigan did point out in the letter that the uncertainties and “novelty” of the project were at least in part responsible for the cost overruns of initial estimates, and slack for such uncertainties was built into the contract.

As for the delays, she blamed the NQF’s “consensus-based environment,” among other things - such as HHS’s “lack of a comprehensive plan for using the work NQF has produced under contract.”

Speaking of health IT contractors, deadlines, dollars and cents, and all that fun stuff, anyone wondering what other federal health IT contracts are kicking around…there’s a Web dashboard for that. Knock yourself out. Maybe with the GAO sniffing around and examining how well the contractors utilize monitoring and progress reporting tools, such dashboards will publicly reveal more information on what’s happening behind the curtain of these giant CMS projects that potentially affect the everyday work of health IT and health care knowledge workers.


Jan 24 2012   11:37AM GMT

ECRI Institute offers health care social media tips



Posted by: Craig Byer
social media, HIPAA Privacy Rule, risk management

It is trending whether you like it or not — health care social media has gained much traction over the last five years. So much so, ECRI Institute — a nonprofit research organization aimed at improving patient care based in Plymouth Meeting, Pa. — recently released “Social Media in Healthcare,” a free online report of recommendations to “maximize opportunities and reduce risk” for organizations using social media.

The report suggests that adopters of social media should be careful of risks, while those who have yet to jump on might realize its upside. The report addresses three key questions to help organizations enter the health care social media market: how engaged an organization will be, who its audience will be, and who will manage social media. Collectively, the answers help to meet consumer demands.

“Passive monitoring,” such as creating profiles on different social media outlets to reach populations, is a good place for organizations to start, according to ECRI. Users can then gauge how deep they want to get into different social platforms depending on feedback, comments and mentions. From there, an entity may decide to share success stories, which can help connect patients, former patients and the general public.

Defining an audience will dictate which social tools to use, according to the report. The audience could be a balance between internal and external people, too. For example, internal use could range from reporting weather delays to providing details about disaster recovery planning and response. External cases could revolve around the engagement of folks on general health news and community outreach opportunities.

In order to mitigate risks, there are a few steps organizations can take. One is to ensure that authorized users are identified in an organization’s social media policy. Staff should not be guessing whether they are able to participate in social media. There must be a staff member or team who is responsible for posting content, monitoring usage and looking for privacy breaches.

Entities should also have privacy policies in place that address pictures of patients, staff and visitors, ECRI stated. The need for these policies is highlighted by the individual who posted a picture of someone’s medical record to his Facebook page. A similar incident occurred at a Wisconsin hospital, where two nurses each took a picture of a patient’s x-ray and one posted it to her Facebook page, according to the report.

Health care social media does not only concern an organization’s current list of employees. The report noted that people who used to work in some capacity can pose risks. HIPAA privacy rules do not cover former employees since their focus is on “workforce” and “staff.” Penalties can be handed down if it can be shown that an organization failed to adequately train staff regarding HIPAA obligations. Risk managers are urged to keep a look out for former employees who talk about former patients.

Even with its benefits and subsequent risks, social media has arrived on the scene and is not going anywhere. “I won’t tell you that you have to join Facebook or set up a Twitter account, but your patients and staff are using these tools,” said Paul Anderson, ECRI Institute director of risk management publications in a statement. “Healthcare managers would be shortsighted not to consider both the risks and benefits that social media presents.”


Jan 23 2012   2:11PM GMT

Global PACS market to double by 2017, report says



Posted by: Brian Eastwood
Storage and PACS, picture archiving, radiology, physician productivity

The worldwide picture archiving and communication system (PACS) market is set to grow from $2.8 billion in 2012 to $5.4 billion in 2017, according to the firm MarketResearch.com.

This growth will come largely due to government investment in PACS technology, spurred by the push to digitize health records and the introduction to the PACS market of the software as a service model, which significantly reduces the up-front cost of implementing PACS.

Demographic trends are also motivating health care providers to invest, CMIO notes in its analysis of the report. With the world population both growing — to more than 9 billion by 2050 — and aging — with the population over 65 years old expected to double by then — providers increasingly see the investment as a way to improve productivity and clinical outcomes.

PACS technology has long been a mainstay of radiology departments, and PACS integration is increasingly allowing hospitals to bring images from multiple systems into a hub. But growth projections for the PACS market aren’t limited to radiology — according to the report, oncology, endoscopy and other specialties are also adopting the systems.

As PACS use expands, organizations will have to compensate with additional IT investments, from larger (perhaps cloud-based) image archives to better bandwidth to accommodate PACS. Without these investments, growth in the PACS market unfortunately may not be money well spent.


Jan 19 2012   4:15PM GMT

Big data targets the health care industry



Posted by: Anne Steciw
big data, patient data security, health data storage, clinical data analytics

It’s no surprise that more pundits are starting to sing about big data and health care sittin’ in a tree — after all, the health care industry generates huge volumes of data, much of it unstructured. A blogger in today’s Wall Street Journal proclaims health care is the next frontier for big data, suggesting that physicians might be able to make better clinical decisions if they had access to a larger volume of medical data.

Other pundits feel that health care is underserved by big data, but game changers such as patients armed with smartphones and health care providers armed with tablets could speed things along. One physician blogger predicts that big data will become king in health care this year, kicking patient privacy to the curb.

It’s also possible that big data is just a buzzword, getting hyped by marketers and vendors that stand to gain by helping customers shuffle around huge amounts of data they may or may not really need.

But health care could be one industry that really would stand to benefit from big data analytics. Harnessing the ability to manage large data sets could reduce US health care expenditure by about 8%, according to a report published this year by the McKinsey Global Institute.

If there’s one thing the health care industry doesn’t need right now, it’s hype. Hopefully all this talk about big data in health care will lead to real improvements, and not just produce more snake oil.


Jan 18 2012   4:18PM GMT

Tap UK’s government site for health IT advice



Posted by: Don Fluckinger
mHealth, health IT, health data security, iPad

Cruising the Web to check out a U.K. paper Brian Dolan over at MobiHealth News blogged about (the upshot: For iPad EHR implementations, the IT authorities do not recommend “Bring your own device” policies) led to our exploration of the country’s National Health System’s (NHS) IT guidance site, Connecting for Health (CfH).

Roughly equivalent to our own Office of the National Coordinator for Health IT, CfH offers “good practice guidelines” documents cataloging IT advice for small practices up to large hospitals, with an emphasis on governance and security - which loosely line up with the privacy and security ideas of the U.S. HIPAA law. For instance, HIPAA might not offer much in the way of guidance for health information risk management, although the law mandates it. NHS has a whole section devoted to it.

Some of the documents have a distinctly NHS flavor - as in, germane to a government-run, single payer monopsony - and therefore might not directly apply to the U.S. mélange of private, public and mixed payers. But, for instance, the Mobile Working Knowledge Centre lays out some pretty solid advice for anyone tackling the extension of their wired health IT networks to wireless computers, iPads or smartphones - down to the recommendation that IT staffers interface with human resources departments to establish policies for working outside of shift hours and away from the office, now that their smartphones and iPads can access patient data.

“This should consider any legal implications, for example compliance with health and safety regulations, equal opportunities and diversity,” the CfH advises. “It may be necessary to change Terms and Conditions or contracts of employment, for example changing an employee’s base location from office to home. Other factors to bear in mind are policies around travel and expenses, possible insurance implications, flexible working arrangements (for example changes to core working hours) and minimum attendance at team meetings, etc.”

An interesting detail that may or may not have occurred to you en route to deploying Epic to physician iPhones, no? Explore the site; there’s a lot more to help walk you through these times of rapid health IT deployments - including case studies of individual health systems and their own deployments as well as sample policy documents like this PDF of one health system’s mobile devices policy.